192.x.x.x IP Addresses

Unanswered Question
Mar 13th, 2002

I thought that the 192.x.x.x IP addresses were supposed to be non-routable on the Internet? I get a ton of UDP Packet sig 4000 sub sig 69 alerts from source addresses of 192.x.x.x. They actually just started today. Does anyone know the answer to the first question, and maybe someone might know about the UDP Packet sig 4000 sub sig 69 (src port 53 / dest port 69, which leads me to think something wants to do TFTP?)

Thanks, Valerie

m-raft Wed, 03/13/2002 - 15:24

Actually, 192.168.x.x addresses are private. If the IP addresses are not in this range, they are legit. As for the sig 4000, we ran into a similar situation with one of our sites. We had a PIX that was performing PAT, and when we investigated the conn table on the PIX we found that one of the internal boxes got PATed to source port 69 when doing DNS queries. This also lit up our IDS sensor for TFTP connections. We were getting hundreds of connections an hour. We killed the connection and watched the conn table again, and that box got PATed to another low-end port (<1024, but not 69). That solved our problem.

Hope that helps

vwalsh Thu, 03/14/2002 - 10:13

Thank you!

And what you described about the PIX / PAT and the internal box with a source port of 69 was probably exactly what happened: we got hammered for about 1.5 hours and then nothing, so the user probably turned their system off.
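A stateful check of the kind m-raft describes, written as an added example for this thread (it is not from the original posts or from Cisco): it replays a constructed stream of UDP packets as seen on a firewall's outside interface, keeps a tiny version of the PIX conn table, and tells a DNS reply returning to a PAT-translated source port of 69 apart from a genuinely unsolicited packet to UDP/69. It also flags RFC 1918 source addresses, which is what Valerie's first question is about. All addresses, ports and timestamps below are invented.

```python
import ipaddress
from collections import namedtuple

Pkt = namedtuple("Pkt", "ts direction src sport dst dport")

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    """True if ip falls in one of the three RFC 1918 private blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


# Constructed sample traffic on the firewall's outside interface (addresses,
# ports and times are invented, not taken from the thread):
#  - an internal DNS query whose PAT-translated source port happened to be 69,
#  - the DNS server's reply to it (src 53 -> dst 69, the "tftp" IDS trigger),
#  - an inbound packet to udp/69 from RFC1918 space with no matching query,
#  - an inbound packet to udp/69 from a public address with no matching query.
SAMPLE = [
    Pkt(1.00, "out", "203.0.113.10",  69,    "198.51.100.53", 53),
    Pkt(1.02, "in",  "198.51.100.53", 53,    "203.0.113.10",  69),
    Pkt(5.00, "in",  "192.168.77.5",  53,    "203.0.113.10",  69),
    Pkt(7.00, "in",  "198.51.100.9",  40000, "203.0.113.10",  69),
]


def classify_udp69(packets, window=30.0):
    """Correlate inbound packets to udp/69 with earlier outbound packets.

    Each outbound packet records the (our_ip, our_port, peer_ip, peer_port)
    tuple it created, like an entry in the PIX conn table.  An inbound packet
    to port 69 that reverses a recent tuple is the reply to our own translated
    query, not a TFTP request.  Returns {packet_index: verdict} for every
    inbound packet whose destination port is 69.
    """
    pending = {}   # outbound 4-tuple -> timestamp of last outbound packet
    verdicts = {}
    for i, p in enumerate(packets):
        if p.direction == "out":
            pending[(p.src, p.sport, p.dst, p.dport)] = p.ts
            continue
        if p.dport != 69:
            continue
        key = (p.dst, p.dport, p.src, p.sport)   # reverse of the outbound tuple
        sent = pending.get(key)
        if sent is not None and 0 <= p.ts - sent <= window:
            verdict = "reply to PAT-translated query (translated source port 69); not tftp"
        else:
            verdict = "unsolicited inbound to udp/69"
        if is_rfc1918(p.src):
            verdict += "; RFC1918 source address on outside interface"
        verdicts[i] = verdict
    return verdicts


if __name__ == "__main__":
    for i, v in sorted(classify_udp69(SAMPLE).items()):
        p = SAMPLE[i]
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport}: {v}")
```

On a PIX the equivalent manual check is what m-raft did: look the translated address and port up in the output of `show xlate` and `show conn` while the alerts are firing; if the "tftp" flow is the reverse of an existing translation whose inside side is talking to a DNS server on port 53, the IDS hit is the reply to your own query.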

crossmanj Wed, 03/13/2002 - 15:30

192.168.x.x are private addresses and are not routable on the Internet. However, "not routable" means that no packet with this address in the destination field will get delivered once it has left your enterprise. There's nothing in the default config of most ISPs or enterprises that prevents the delivery of a packet with a private address as a SOURCE address.

Hope this helps....

c-gaspar Thu, 03/14/2002 - 11:21

Only 192.168.x.x addresses are non-routable/private. It is entirely possible to receive packets from 192.x.x.x addresses, but you should not receive packets from 192.168.x.x.

Hope this helps,

Chris G.

crossmanj Thu, 03/14/2002 - 12:40

Actually, that is incorrect - unless as an enterprise you have inbound packet filtering.

Here is a simple test: traceroute from the calweb public traceroute server at <http://www.calweb.com/cgi-bin/traceroute> to www.xylan.com (because they have a privately addressed router on their side of the Internet):

traceroute to www.xylan.com (208.8.0.228), 30 hops max, 40 byte packets
 1 cisco (209.210.251.1) 0.445 ms 0.486 ms 0.450 ms
 2 s8-1-1.gw01.scrl.eli.net (209.210.249.37) 3.237 ms 3.844 ms 0.819 ms
 3 srp0-0-0.ar02.scrl.eli.net (208.186.20.21) 0.919 ms 1.565 ms 1.096 ms
 4 sl-gw25-stk-1-0-155M.sprintlink.net (160.81.16.1) 1.900 ms 1.971 ms 1.761 ms
 5 sl-bb20-stk-8-1.sprintlink.net (144.232.4.217) 3.372 ms 2.025 ms 4.218 ms
 6 sl-bb23-sj-5-1.sprintlink.net (144.232.9.165) 4.683 ms 7.640 ms 4.831 ms
 7 sl-bb23-ana-11-1.sprintlink.net (144.232.18.217) 12.698 ms 13.235 ms 13.230 ms
 8 sl-gw24-ana-10-0.sprintlink.net (144.232.1.158) 14.784 ms 12.284 ms 12.080 ms
 9 sl-swb-47-0.sprintlink.net (144.232.254.54) 15.777 ms 13.676 ms 14.701 ms
10 ded3-gig0-0-0.lsan03.pbi.net (206.13.29.194) 14.347 ms 14.898 ms 16.339 ms
11 vip-Xylan.cust-rtr.pacbell.net (216.102.188.106) 18.443 ms 16.762 ms 17.201 ms
12 192.168.255.252 (192.168.255.252) 23.358 ms 20.281 ms 22.894 ms
13 www.ind.alcatel.com (208.8.0.228) 20.907 ms * 17.574 ms

Look at the 12th hop. When their router dropped the traceroute packet due to TTL expiration, it sent us an ICMP type 11 packet notifying us of this, and that packet carried the source address of their router, in this case 192.168.255.252.

You won't be able to address a packet to it as a destination because it is a non-routable address. But nothing except a border router's ingress ACL will filter it, and most enterprises don't put such filters in place. No major ISP that I know of will filter an RFC1518 address when it is the *SOURCE* address.

I had to use a public traceroute server because we do filter inbound packets. :-)

crossmanj Thu, 03/14/2002 - 12:56

Oops! I meant to say either RFC1597 or RFC1918. Citing RFC1518 was an error - the numbers must've been crosslinked in my head. :-)
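To make crossmanj's two points concrete, here is an added example that is not part of the original posts. The first function parses traceroute output (the constant below is hops 11 to 13 of the trace quoted above) and reports the hops whose ICMP time-exceeded reply came from RFC 1918 space, which covers 10.0.0.0/8 and 172.16.0.0/12 as well as 192.168.0.0/16. The second is the ingress ACL decision a border router would apply to packets arriving on its outside interface, the filter he says most enterprises lack. The prefix 209.210.251.0/24 passed as "our own" address space is an assumption made for the example.

```python
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hops 11-13 of the traceroute quoted in the post above; hop 12 is the one
# that answered from private address space.
TRACE = """\
11 vip-Xylan.cust-rtr.pacbell.net (216.102.188.106) 18.443 ms 16.762 ms 17.201 ms
12 192.168.255.252 (192.168.255.252) 23.358 ms 20.281 ms 22.894 ms
13 www.ind.alcatel.com (208.8.0.228) 20.907 ms * 17.574 ms
"""

# hop number, then "name (a.b.c.d)" as printed by traceroute
HOP_RE = re.compile(r"^\s*(\d+)\s+\S+\s+\((\d+\.\d+\.\d+\.\d+)\)")


def in_rfc1918(addr):
    """True if an ipaddress.IPv4Address lies in one of the RFC 1918 blocks."""
    return any(addr in net for net in RFC1918)


def rfc1918_hops(trace_text):
    """Return [(hop, ip)] for every hop whose ICMP time-exceeded reply carried
    an RFC 1918 source address.  Hops that only show '*' do not match the
    pattern and are skipped."""
    found = []
    for line in trace_text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        hop, ip = int(m.group(1)), ipaddress.ip_address(m.group(2))
        if in_rfc1918(ip):
            found.append((hop, str(ip)))
    return found


def ingress_decision(src_ip, our_prefixes):
    """Ingress policy for a packet arriving on the border router's outside
    interface.  Two classes of source address are denied: RFC 1918 space
    (never a legitimate outside source, and a reply could not be routed back)
    and our own public prefixes (a packet from outside cannot legitimately
    carry them, so it is spoofed).  Everything else is permitted here; a real
    ACL would also deny the other bogon ranges."""
    src = ipaddress.ip_address(src_ip)
    if in_rfc1918(src):
        return "deny: rfc1918 source"
    if any(src in ipaddress.ip_network(p) for p in our_prefixes):
        return "deny: spoofed internal source"
    return "permit"


if __name__ == "__main__":
    # 209.210.251.0/24 is assumed, for this example, to be our own prefix.
    OUR = ["209.210.251.0/24"]
    print(rfc1918_hops(TRACE))
    for ip in ("192.168.255.252", "209.210.251.7", "144.232.4.217"):
        print(ip, ingress_decision(ip, OUR))
```

With such a filter on your own border, as crossmanj says his site has, the ICMP type 11 packet from 192.168.255.252 would be discarded on arrival and hop 12 would show up as `* * *` in a traceroute run from inside; that is exactly why he needed a public traceroute server to demonstrate the point.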

jmccurle Mon, 04/15/2002 - 09:42

In connection with packets received from private or reserved address space - has anyone noticed malicious activity?

Posted March 13, 2002 at 1:36 PM